CVE-2026-33658: CWE-770: Allocation of Resources Without Limits or Throttling in rails activestorage
CVE-2026-33658 is a low-severity denial-of-service vulnerability in the Active Storage component of Ruby on Rails prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1.
AI Analysis
Technical Summary
CVE-2026-33658 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) in the Active Storage proxy controller of Ruby on Rails versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Active Storage is the Rails framework for attaching files held on local disk or in cloud storage to models; in proxy mode the Rails application itself streams the file bytes to the client instead of redirecting to the storage service, so every byte served costs application worker time. The vulnerability stems from the absence of any limit on the number of byte ranges accepted in the HTTP Range header. A Range header lets a client request specific portions of a file (for example, bytes=0-1023), typically to resume an interrupted download or seek within streamed media, and a single header may list many ranges separated by commas. The proxy controller neither capped nor throttled that list, so an attacker could send one request naming thousands of tiny ranges. Each range has to be located, read and emitted separately (a multi-range response is sent as a multipart/byteranges body), so the CPU cost of such a request is far out of proportion to a normal download, and a modest stream of them can exhaust the application's processing capacity: a denial of service. Per the CVSS vector the attacker needs low privileges (PR:L), meaning the ability to request a proxied attachment, and no user interaction. The CVSS 4.0 base score is 2.3, reflecting low severity due to the limited impact scope and the effort required to exploit. No known exploits have been reported in the wild. The issue is addressed in Rails 8.1.2.1, 8.0.4.1, and 7.2.3.1, which limit the number of byte ranges the proxy controller will process from a single Range header, preventing the resource exhaustion.
Potential Impact
The primary impact is denial of service: excessive CPU consumption while the proxy controller processes a crafted Range header that lists a very large number of byte ranges. For organizations running vulnerable Rails versions with Active Storage proxying enabled, this can degrade application performance or take the service down entirely. Only availability is affected; confidentiality and integrity are not. Disruption is most likely for applications that rely on file attachments or media streaming, and in high-traffic or resource-constrained environments, because each crafted request ties up an application worker for far longer than a legitimate download does. Exploitation is simply a matter of sending crafted HTTP requests, which is easy to automate and scale; per the CVSS vector the attacker needs only low privileges (PR:L), such as an ordinary account that can obtain a proxied attachment URL, and no user interaction. The low CVSS score and the absence of known exploits suggest limited immediate risk, but organizations with public-facing Rails applications on affected versions should weigh that risk against their own exposure and threat landscape.
Mitigation Recommendations
Upgrade to Rails 8.1.2.1, 8.0.4.1, or 7.2.3.1 as soon as possible; this is the only complete fix. If an immediate upgrade is not feasible, add a web application firewall or reverse-proxy rule that rejects requests to the Active Storage proxy routes (mounted under /rails/active_storage/ by default) whose Range header contains more than a small number of comma-separated byte ranges; browsers and media players almost always send a single range. Rate limiting and request size restrictions reduce the volume an attacker can send but do not remove the asymmetry, since one request is still expensive, so they complement a range cap rather than replace it. Monitor application CPU usage and request logs for multi-range Range headers on proxy routes to detect exploitation attempts early. Developers who have overridden or wrapped the Active Storage proxy controller should confirm that their code enforces the same limit on the number of ranges it will serve. Isolating or load balancing critical services limits the blast radius of a DoS, and regular dependency audits and updates keep the overall security posture current.
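As an added example (not code from the Rails project or from this advisory), the following plain-Ruby, Rack-compatible middleware implements the interim mitigation described above and illustrates the mechanism from the technical summary: it parses the Range header, counts the byte ranges, and refuses requests to Active Storage proxy routes that exceed a cap before they reach the proxy controller. The cap of 32 ranges, the 416 response, and the sample requests in demo are assumptions chosen for illustration; the advisory does not state the limit the patched versions use. Rack's only contract is an object responding to call(env), so the block runs without Rails or the rack gem.

```ruby
# Added example, not Rails' own code: a Rack-compatible middleware that caps
# the number of byte ranges accepted in an HTTP Range header for requests to
# Active Storage proxy routes. MAX_RANGES, the 416 reply and the sample
# requests in .demo are assumptions made for illustration.
class RangeHeaderGuard
  MAX_RANGES = 32                                # assumed cap, not from the advisory
  PROXY_PATH = %r{\A/rails/active_storage/}      # default Active Storage route prefix

  # Parse a Range header value (RFC 7233 form: "bytes=0-99,200-299,-500").
  # Returns an array of [first, last] pairs (nil for an open end), or nil
  # when the header is not a syntactically valid byte-range set.
  def self.parse_ranges(header)
    return nil if header.nil?
    unit, set = header.split("=", 2)
    return nil unless unit && unit.strip == "bytes" && set
    set.split(",").map do |spec|
      m = spec.strip.match(/\A(\d*)-(\d*)\z/)
      return nil if m.nil? || (m[1].empty? && m[2].empty?)
      [m[1].empty? ? nil : m[1].to_i, m[2].empty? ? nil : m[2].to_i]
    end
  end

  # Number of byte ranges a header asks for (0 when absent or malformed).
  def self.range_count(header)
    ranges = parse_ranges(header)
    ranges ? ranges.size : 0
  end

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  def call(env)
    if env["PATH_INFO"].to_s.match?(PROXY_PATH)
      ranges = self.class.parse_ranges(env["HTTP_RANGE"])
      # Only well-formed headers with too many ranges are refused here;
      # malformed ones pass through so the controller's own handling applies.
      if ranges && ranges.size > @max_ranges
        return [416, { "content-type" => "text/plain" }, ["Too many byte ranges\n"]]
      end
    end
    @app.call(env)
  end

  # Constructed sample requests (not captured traffic) run through the guard
  # in front of a stub app that answers 200 for anything it receives.
  def self.demo
    app   = ->(_env) { [200, { "content-type" => "video/mp4" }, ["<blob bytes>"]] }
    guard = new(app)
    base  = { "PATH_INFO" => "/rails/active_storage/blobs/proxy/SIGNED_ID/clip.mp4" }
    normal = base.merge("HTTP_RANGE" => "bytes=0-1023")
    flood  = base.merge("HTTP_RANGE" => "bytes=" + (0...5000).map { |i| "#{i}-#{i}" }.join(","))
    {
      normal_status: guard.call(normal)[0],   # 200: one range, passed through
      flood_status:  guard.call(flood)[0],    # 416: 5000 ranges, refused
      flood_ranges:  range_count(flood["HTTP_RANGE"])
    }
  end
end

puts RangeHeaderGuard.demo.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails application the guard would be registered with config.middleware.insert_before 0, RangeHeaderGuard in config/application.rb so it runs before routing. Returning 416 is a design choice for this example; RFC 7233 also permits a server to ignore the Range header and serve the whole file with 200, which is the behaviour to prefer if clients in your environment do not handle 416 gracefully.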
Affected Countries
United States, United Kingdom, Germany, France, Japan, Australia, Canada, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.219Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc821
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 3/26/2026, 9:47:39 PM
Last updated: 3/27/2026, 5:26:17 AM